Episodes

  • 80 Banks Breached via Marquis Software Vendor Chain
    Apr 14 2026

    A ransomware attack on one software vendor exposed 823,000 people's Social Security numbers and bank account data across 80 community banks — and those banks didn't find out for 74 days. That's just one of three stories on today's Security Squawk that show exactly how the vendor trust chain is failing businesses right now. Bryan, Randy, and Reginald break down: a brand-new extortion crew called UNC6783 that's been hitting "several dozen" high-value corporations — including an alleged Adobe breach of 13 million support tickets — by breaking into their outsourced call centers and help desks instead of the companies themselves. Then Microsoft's new research on the Medusa ransomware group (tracked as Storm-1175), which is exploiting zero-day vulnerabilities before patches even exist and can go from initial access to full ransomware deployment in under 24 hours. And finally, the full Marquis Software story: a fintech vendor breach that cascaded through 80 community banks, led to a ransom payment, and ended with Marquis suing their own firewall vendor SonicWall for gross negligence while defending 36+ consumer class action lawsuits. If you trust vendors with your customer data — and you do — this episode is about what happens when that trust gets broken.

    49 m
  • FBI Hacked, Chemo Cancelled, 2.5M Hims & Hers Customers Stolen in One Call
    Apr 7 2026

    Chinese state-linked hackers breached the FBI's own surveillance system — and they got in through a vendor. That's not a spy novel plot; that's a confirmed federal "major incident" declared at the highest severity level under FISMA, and it happened in 2024. That's just the opener. On this episode of Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre cover three stories that show exactly what happens when third-party risk, healthcare IT gaps, and a single phone call aren't taken seriously enough. SALT TYPHOON HACKS THE FBI — China's Salt Typhoon threat group targeted a vendor ISP with access to the FBI's court-authorized wiretap surveillance system. The breach was classified as a FISMA "major incident," the federal government's highest severity designation. BROCKTON HOSPITAL CYBERATTACK — April 6, 2026: ambulances diverted, chemo cancelled, pharmacies closed, staff on paper records. The same hospital was breached in 2021. Average healthcare ransomware recovery: $2.5M, 19 days, 33% increase in patient mortality. HIMS & HERS VISHING ATTACK — 2.5 million subscribers. $2.35 billion in revenue. Gone through one phone call. ShinyHunters used a single vishing call to steal an Okta SSO credential and access Zendesk support tickets. CA AG notified. Class action filed. Support the show: buymeacoffee.com/securitysquawk

    38 m
  • Cyber Claims Doubled, Sheriff's Office Wiped, Texas School District Offline
    Mar 31 2026

    A ransomware attack walked in through one email, sat silent for two days, then destroyed every computer in an Indiana sheriff's office — and the FBI is still investigating. That's just one of three cybersecurity stories that every business owner needs to hear this week. On this episode of Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre cover: CHUBB'S 2026 CYBER CLAIMS REPORT — The average cyber insurance claim for large businesses nearly DOUBLED in one year, jumping from $2.2 million to $4.4 million. That's a 586% increase since 2021. And with premiums projected to rise 15-20% in 2026, the cyber insurance market is about to get expensive — even for small and mid-size businesses. ALAMO HEIGHTS ISD CYBERATTACK — A San Antonio-area school district serving 5,400 students went completely offline. Wi-Fi down. Gmail down. Third-party forensic investigators brought in. 27 Texas school districts hit in two years — and $55 million in state grants existed to prevent this. Only one-third applied. JACKSON COUNTY SHERIFF'S OFFICE RANSOMWARE ATTACK — A dormant ransomware payload entered through a phishing email, waited 48 hours, then activated and spread across every connected system. "Anything that it touched, it corrupted so bad, it won't be able to be used again." The sex offender registry may be permanently lost. Support the show: buymeacoffee.com/securitysquawk

    45 m
  • 4.8M Cybersecurity Jobs Unfilled + 31% of Businesses w/ Backups Still Lost Their Data. Are You Next?
    Mar 24 2026

    31% of businesses that had backup solutions still failed to restore their data during a ransomware attack according to At-Bay's analysis of 186 real insurance claims. And if you think your business is safe because someone "set up backups," you need to watch this. Meanwhile, there are 4.8 million unfilled cybersecurity jobs globally right now and 61% of midsize businesses have zero dedicated security staff on payroll. Bryan Hornung and Reginald Andre break down exactly how bad the staffing gap has gotten (ISC2's 2025 Cybersecurity Workforce Study shows the pipeline shrank from 31% growth in 2022 to just 12% in 2024), why your IT person is being set up to fail, and how much a single mid-level security analyst actually costs vs. what an MSSP can deliver at the same price. Then they go straight at the backup crisis: the 25-point confidence gap between what IT teams believe about recovery and what At-Bay, Sophos, and Spiceworks data actually show. Ransomware attackers are targeting your backup repositories first before they trigger the main attack. The average business is down 24 days after a ransomware hit, with average recovery costs of $1.53 million. For a business under 500 employees, that can be existential. This episode is for every business owner who has ever said "we have backups" or "IT handles security" and hasn't verified either of those statements. Support the show: buymeacoffee.com/securitysquawk

    47 m
  • DigitalMint Negotiator Was the Attacker | Stryker Wiper | OT Crisis
    Mar 17 2026

    A ransomware negotiator at DigitalMint secretly ran the attacks he was being paid to stop and then negotiated ransoms on behalf of the companies he'd just hit. This week on Security Squawk, we break down $75 million in extorted ransoms, an Iranian hacker group that destroyed 80,000 Stryker devices in three hours without using any malware, and a new Ponemon Institute survey showing 77% of industrial companies got breached in the past year. DigitalMint: Angelo Martino, a ransomware negotiator at Chicago-based cybersecurity firm DigitalMint, has been charged with running at least 10 ransomware attacks using the BlackCat/ALPHV gang while simultaneously negotiating ransoms for his own victims. Five companies he attacked then hired DigitalMint and were assigned Martino as their negotiator. Ransoms totaled $75.25 million. Two co-conspirators, including another DigitalMint negotiator and an employee at rival firm Sygnia, already pleaded guilty in December. Stryker: On March 11, the Iran-linked hacktivist group Handala wiped approximately 80,000 employee devices at medical device giant Stryker using Microsoft Intune, the same device management tool your IT team uses every day. No malware. No ransomware. Just a compromised admin account and a "remote wipe" command. OT Security Survey: A new Ponemon Institute survey commissioned by Siemens Energy found 77% of organizations running operational technology factories, pipelines, utilities, industrial control systems were breached in the last 12 months. 41% of attacks go completely undetected. Recovery takes seven months on average. Support the show: buymeacoffee.com/securitysquawk

    47 m
  • Cognizant TriZetto 3.4M Patient Breach, AkzoNobel Ransomware & AI Hacked Mexico's Government
    Mar 10 2026

    A hacker used an AI chatbot to break into 10 government agencies and steal records on 195 million people — without writing a single line of code. Meanwhile, Cognizant's TriZetto healthcare billing platform sat silently compromised for over a year while 3.4 million patients' data walked out the door. This week on Security Squawk, Bryan Hornung, Randy Bryan, and Reginald Andre break down four stories that will change how you think about cybersecurity risk in 2026.

    COGNIZANT TRIZETTO + UMMC
    TriZetto Provider Solutions — a Cognizant company that processes medical billing for thousands of doctors and hospitals — was breached in November 2024. The company didn't discover it until November 2025. One full year. In that time, 3,433,965 patients had their Social Security numbers, Medicare IDs, birth dates, and health insurance details exposed. And in parallel: UMMC was hit by ransomware in February 2026 — shutting down all 35 of its statewide clinics for nine days, canceling surgeries, and sending doctors back to pen and paper.

    AKZONOBEL
    AkzoNobel — the $12 billion paint giant behind Dulux — confirmed that the Anubis ransomware gang stole 170GB of data from one of its U.S. sites. Passport scans, private emails, confidential client agreements. They called it "contained." The data is already public.

    AI AND THE MEXICO GOVERNMENT HACK
    Fewer than five people used Claude Code AI to breach 10 Mexican government agencies. 150 GB stolen. 195 million identities exposed. The AI initially said no. The attacker talked it into cooperating anyway. The cost of entry for a sophisticated cyberattack just became the price of an AI subscription.

    [00:00] Intro
    [02:30] Cognizant TriZetto: 3.4M Patients, 1 Year of Silence
    [11:00] UMMC: 9-Day Clinic Shutdown Update
    [15:30] AkzoNobel: "Contained" Means Nothing When the Data Is Already Gone
    [21:00] Claude Code and the Mexico Hack: AI Just Became a Weapon Anyone Can Afford
    [27:00] Wrap-Up

    Support the show: buymeacoffee.com/securitysquawk

    42 m
  • Vendor Failures, Ransomware Leverage, and Legacy Data Risk
    Mar 3 2026

    This week's Security Squawk episode isn't about phishing. It's about structural weakness. Three separate incidents. Three different industries. One uncomfortable pattern: the systems organizations trust most are expanding risk quietly — and in some cases, architecturally.

    First, a lawsuit that should make every board member pay attention. Marquis Software Solutions, a fintech serving 74 U.S. banks, is suing SonicWall. The allegation centers on SonicWall's cloud backup system, where firewall configuration backups were allegedly accessible and contained credentials — including MFA scratch codes. Those backups were reportedly used to compromise Marquis, leading to a ransomware incident and downstream exposure. What began as a scoped 5% customer exposure was later reported as potentially impacting all customers. This is not a misconfigured endpoint. This is a control-plane failure.

    For CEOs, this reframes vendor risk. It's no longer a questionnaire exercise. It's a litigation vector. If a security provider's design exposes authentication artifacts, your internal diligence may not matter. The liability chain now includes vendors and MSPs in a very direct way. For IT Directors, the operational question is simple: what exactly is inside your firewall backups? Are reusable authentication artifacts stored? Who can access vendor-hosted exports? If attackers obtain your configuration backups, can they replay your defenses? For MSPs, the exposure is real. If you manage firewall exports or MFA deployments, you are part of the architecture. And potentially part of the courtroom.

    Then we shift to UFP Technologies, a medical device manufacturer. Intrusion detected. Billing and shipping label systems disrupted. Data stolen or destroyed. Insurance expected to offset financial impact. But this isn't primarily a data story. Attackers disrupted order-to-cash and fulfillment velocity. In healthcare supply chains, slowing billing and labeling can create immediate executive escalation without touching the factory floor. Modern ransomware groups increasingly target business process choke points — ERP, labeling, scheduling — because leverage doesn't require full encryption anymore. For CEOs, "no material impact expected" is accounting language. Customers measure impact in delayed shipments. For IT leaders, the question becomes operational: can billing, labeling, and fulfillment functions recover independently? Are those systems segmented? Tested? Immutable? For risk managers and insurers, this represents a shift in underwriting focus — from endpoints to process resilience.

    Finally, the University of Hawaiʻi Cancer Center ransomware incident. Roughly 87,000 study participants directly impacted. But historical datasets, including Social Security numbers collected from driver's license and voter registration data dating back to 1998, expanded potential exposure to nearly 1.2 million individuals. They engaged the threat actors. They received a decryptor. They received "assurances" that data was destroyed. That's not verification. That's negotiation. The uncomfortable truth: legacy identity data becomes modern ransom currency. Research environments often have weaker governance than clinical systems, yet they can contain decades of sensitive identifiers. For boards, the issue isn't just security posture. It's data retention discipline. What obsolete identity data are you still holding? Why? For how long? And who owns the risk?

    Across these stories, three themes emerge: Control-plane trust is fragile. Operational choke points are the new leverage strategy. Data retention is compounded liability. Cybersecurity is no longer just about stopping intrusion. It's about architectural accountability and governance maturity.

    If you value independent, executive-level analysis without vendor spin, support the show at: buymeacoffee.com/securitysquawk

    The real question is this: Are your greatest cyber risks coming from external attackers — or from design decisions you haven't revisited in years?

    31 m
  • Hospital Shutdown, Ransomware Surge, Fortinet Failures
    Feb 24 2026

    A hospital doesn't cancel chemotherapy appointments because of a "technical issue." They cancel them because they've lost operational control. This week, the University of Mississippi Medical Center shut down its entire network after a ransomware attack disrupted systems — including Epic. Clinics closed. Elective procedures paused. Outpatient services halted. Emergency operations activated. Leadership described the shutdown as precautionary. But here's the real question executives should be asking: Why was a full network shutdown necessary? If segmentation is validated… If identity governance is enforced… If lateral movement detection is operationalized… Why does the only safe option become "turn it all off"?

    In this episode of Security Squawk, we break down what this incident signals about containment confidence, governance maturity, and operational resilience — not just in healthcare, but across every industry that depends on uptime. And we zoom out. Because UMMC isn't happening in isolation. According to TechRadar, ransomware groups have reached an all-time high in 2025. The victim growth rate has doubled. Qilin and other affiliate-driven operators are scaling aggressively. This isn't random chaos. It's industrialization. More fragmentation. More specialization. More execution discipline on the criminal side. Healthcare, public sector, and critical infrastructure are being economically targeted because downtime equals leverage. When systems go dark, negotiation pressure spikes.

    Then we connect it to something many leaders are still underestimating: Fortinet exploitation patterns. Edge vulnerabilities. VPN credential harvesting. Reinfection cycles months after patches were released. The vulnerability itself isn't the story. The response maturity is. Attackers are repeatedly probing whether organizations:
    – Patch fast enough
    – Rotate exposed credentials
    – Reset trust boundaries after compromise
    – Validate segmentation integrity
    – Rebuild identity confidence
    When those governance steps are skipped, attackers come back. That's not a tooling failure. That's a leadership failure.

    This episode translates three headlines into one hard truth: Ransomware is no longer just a malware problem. It's a containment confidence problem. For CEOs: If you cannot isolate an intrusion without shutting down revenue operations, your resilience model is fragile. For IT Directors: Active Directory recovery is not a restore-from-backup event. It's a trust re-establishment event. For MSPs: Client environments are operating in a denser criminal ecosystem. Tool stacking without maturity validation will not scale. For Risk Leaders: Financial exposure is no longer limited to ransom. Revenue interruption, regulatory scrutiny, and reputational damage compound quickly — especially in healthcare.

    We also discuss:
    • Why attacker communication often signals a second phase
    • Why affiliate ransomware models are accelerating
    • Why segmentation validation will become a board-level metric
    • Why detection speed does not equal governance strength

    Security Squawk exists to translate cybersecurity chaos into business reality — without vendor spin and without hype. If you value that kind of analysis and want to support independent, executive-focused cybersecurity conversations, you can back the show at: buymeacoffee.com/securitysquawk Your support helps us keep this live, timely, and unfiltered. Because criminals are already running maturity audits. And they invoice in operational shutdown. The question is simple: If it happened to you tomorrow, could you contain it — or would you turn the lights off?

    42 m